Let's Encrypt Certificates with Other Services

by J. Edward Durrett

Let's Encrypt / FreeBSD / Asterisk / Dovecot / ejabberd / Exim

Let's Encrypt, the free Certificate Authority, issues certificates that can be used to secure services other than HTTPS. This page explains how to do that with py27-certbot from ports. The following assumes that py27-certbot is already installed and working, and that these services run on different hosts, or at least have different hostnames.

Asterisk

First, get the certificate:

 
certbot certonly -d host.domain.xxx 


Then, in /usr/local/etc/asterisk/sip.conf, define the name of the
certificate:

 
tlscertfile=/usr/local/etc/asterisk/tls/a-keycert.pem 


Asterisk expects this certificate to be a combination of the private
key, certificate and chain. So, we need to combine the files that were
installed by the letsencrypt command:

 
cat /usr/local/etc/letsencrypt/live/host.domain.xxx/privkey.pem > /usr/local/etc/asterisk/tls/a-keycert.pem 
cat /usr/local/etc/letsencrypt/live/host.domain.xxx/fullchain.pem >> /usr/local/etc/asterisk/tls/a-keycert.pem 


Restart asterisk for the changes to take effect:

 
/usr/local/etc/rc.d/asterisk restart 


Then, keeping in the spirit of making this simple and automatic, put it
all in a script to be called by cron when it is time to renew:

 
#!/bin/sh 
certbot certonly -d host.domain.xxx 
cat /usr/local/etc/letsencrypt/live/host.domain.xxx/privkey.pem > /usr/local/etc/asterisk/tls/a-keycert.pem 
cat /usr/local/etc/letsencrypt/live/host.domain.xxx/fullchain.pem >> /usr/local/etc/asterisk/tls/a-keycert.pem 
/usr/local/etc/rc.d/asterisk restart 


Dovecot

First, if you don't have a certificate for this host, get the
certificate:
 
certbot certonly -d host.domain.xxx 



Then edit /usr/local/etc/dovecot.conf:

 
ssl_cert_file = /usr/local/etc/letsencrypt/live/host.domain.xxx/fullchain.pem 
ssl_key_file = /usr/local/etc/letsencrypt/live/host.domain.xxx/privkey.pem 


Then, restart:
 
/usr/local/etc/rc.d/dovecot restart 


To renew the certificate, run letsencrypt again.

ejabberd

If you don't have a certificate for this host, get the certificate:

 
certbot certonly -d host.domain.xxx 

Edit /usr/local/etc/ejabberd/ejabberd.yml and define the certificate:

 
certfile: "/usr/local/etc/ejabberd/ssl/ssl.pem"

ejabberd wants the private key, certificate and chain in one file, in
that order, so combine the files:

 
cat /usr/local/etc/letsencrypt/live/host.domain.xxx/privkey.pem > /usr/local/etc/ejabberd/ssl/ssl.pem  
cat /usr/local/etc/letsencrypt/live/host.domain.xxx/fullchain.pem >> /usr/local/etc/ejabberd/ssl/ssl.pem 


Then, restart ejabberd:

 
/usr/local/etc/rc.d/ejabberd restart 

Put it together in a script:

 
#!/bin/sh 
certbot certonly -d host.domain.xxx 
cat /usr/local/etc/letsencrypt/live/host.domain.xxx/privkey.pem > /usr/local/etc/ejabberd/ssl/ssl.pem 
cat /usr/local/etc/letsencrypt/live/host.domain.xxx/fullchain.pem >> /usr/local/etc/ejabberd/ssl/ssl.pem 
/usr/local/etc/rc.d/ejabberd restart
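
As an added example that is not part of the original post, here is a small sh helper for the Asterisk and ejabberd scripts above: it builds the combined key + chain file from certbot's live directory, keeps the copy of the private key mode 0600 (the plain cat redirections above create it under the default umask, which is often world-readable), replaces it atomically, and reports whether anything changed so cron restarts the daemon only after a renewal. The function name, the ordering checks and the paths in the comments are assumptions, not certbot, Asterisk or ejabberd features.

```shell
#!/bin/sh
# Added example (not from the original post): build the combined
# key + chain PEM that Asterisk and ejabberd expect from certbot's live/
# directory, keep it 0600, replace it atomically, and report whether it
# changed so a cron job only restarts the daemon after a renewal.
set -eu

# combine_keycert <live-dir> <dest-file>
# Prints "changed" if <dest-file> was written, "unchanged" if identical.
combine_keycert() {
    live="$1"
    dest="$2"
    key="$live/privkey.pem"
    chain="$live/fullchain.pem"

    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "combine_keycert: cannot read $key or $chain" >&2
        return 1
    fi
    # Sanity-check both parts so a mix-up never lands in the daemon's tls dir
    head -n 1 "$key" | grep -q 'PRIVATE KEY-----' || {
        echo "combine_keycert: $key is not a PEM private key" >&2; return 1; }
    head -n 1 "$chain" | grep -q 'BEGIN CERTIFICATE-----' || {
        echo "combine_keycert: $chain is not a PEM certificate" >&2; return 1; }

    # mktemp creates the file 0600, so the copied private key is never
    # world-readable, unlike "cat > file" under the default umask.
    tmp="$(mktemp "$(dirname "$dest")/.keycert.XXXXXX")"
    cat "$key" "$chain" > "$tmp"      # key first, then cert + chain
    chmod 0600 "$tmp"

    if [ -f "$dest" ] && [ "$(cksum < "$tmp")" = "$(cksum < "$dest")" ]; then
        rm -f "$tmp"
        echo unchanged
    else
        mv -f "$tmp" "$dest"          # rename is atomic: no half-written file
        echo changed
    fi
}

# Cron usage (paths are assumptions): pass certbot's live dir and the target
# file, and restart the daemon only when the function prints "changed", e.g.
#   combine_keycert /usr/local/etc/letsencrypt/live/host.domain.xxx \
#       /usr/local/etc/asterisk/tls/a-keycert.pem
if [ "$#" -eq 2 ]; then
    if [ "$(combine_keycert "$1" "$2")" = changed ]; then
        echo "restart needed: $2"
    fi
fi
```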


Exim

Get a certificate for this host, if you don't have one already:

 
certbot certonly -d host.domain.xxx


Define the certificate in /usr/local/etc/exim/configure (these are Exim's
main options for the certificate chain and the private key):

 
tls_certificate = /usr/local/etc/letsencrypt/live/host.domain.xxx/fullchain.pem 
tls_privatekey = /usr/local/etc/letsencrypt/live/host.domain.xxx/privkey.pem 


Restarting exim at this point will produce the following error in the
mainlog, because the user running exim does not have permission to read
the key files:

2016-06-02 17:36:07 TLS error on connection from mx.otherdomian.xxx
[nnn.nnn.nnn.nnn] (SSL_CTX_use_certificate_chain_file
file=/usr/local/etc/letsencrypt/live/host.domain.xxx/fullchain.pem):
error:0200100D:system library:fopen:Permission denied


This is because the permissions on the folders that hold the keys are
strict. One option, although this has serious security implications, is
to relax the permissions:

 
chmod 744 /usr/local/etc/letsencrypt/live 
chmod 744 /usr/local/etc/letsencrypt/archive 


Although this works, it gives every user on the system the ability to
read the private key. Another option is to change the ownership of the
folders to mailnull, the user that runs exim:

 
chown mailnull /usr/local/etc/letsencrypt/live 
chown mailnull /usr/local/etc/letsencrypt/archive 


That should give a message like this in the mainlog when a message comes
in:

2016-06-02 17:42:32 1b8Wdc-000377-8F <= xxx@xxxxxxxxx.com 
H=mx.xxxxxxxxx.com [000.000.000.000] P=esmtps  
X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1843  
id=20160602174221.GC8980@xxxxxxxxx.com 


And to test it, run:

 
openssl s_client -connect host.domain.xxx:465 


Copyright (c) 2019, Jason Edward Durrett - All content on this site, unless otherwise noted, is subject to this license.

Please contact me if any errors, such as erroneous / misleading content or missing / incomplete attribution, are found.